Access any files on a remote Netware Server behind a WAN, VPN or other WAN-like connection.

  • 7002985
  • 13-Apr-2009
  • 26-Apr-2012

Environment

Novell Netware 5.1
Novell Netware 5.1 Service Pack 5
Novell Netware 6
Novell Netware 6 Service Pack 2
Novell Bordermanager Site to Site VPN

Situation

Various intermittent problems accessing files located on a remote Netware server.
Error messages depend on the application used; among others, "Error performing in page operation" appears when trying to copy files in Explorer or using "copy" in a command window.
Packet loss due to MTU restrictions on the way between client and server.
Access any files on a remote Netware Server behind a WAN, VPN or other WAN-like connection.

Resolution

There are three possible ways to solve this problem.

The first possibility is to allow the NCP over IP packets to be fragmented. Note that fragmentation is usually not desired, as it can introduce performance problems.

To allow fragmentation of NCP packets to occur, one has to type "set always allow ip fragmentation=on" at the server console or in the AUTOEXEC.NCF file on the problem server. This will remove the DF (Don't Fragment) flag from the packets, thus allowing the routers on the way to split the packets into smaller pieces so that they can be delivered successfully.

The second possibility is to make the problem server honor "ICMP Can't Fragment" packets. Usually, when a router receives a packet that is too big to travel over the next hop, and the packet has the DF flag set, the router will send a special ICMP packet back to the sender, a so-called "Can't Fragment" packet. This tells the sender that the packet it sent is too big to travel over the link. The sender can now retry, but with a smaller packet size (MTU), until delivery succeeds. To enable this behaviour in Netware, one has to type "set tcp path mtu black hole detection and recovery=on" at the server console or in the AUTOEXEC.NCF file on the problem server.

Note that this is a hidden set parameter, so one either has to manually enter it on the server console, use "load monitor !h" to enable monitor to display hidden set parameters, or use portal or NORM with display hidden set parameters enabled to see it.

Important: For path MTU detection to work, ICMP has to be allowed. If a firewall between the client and the server filters all ICMP messages, this cannot work, because the ICMP "Can't Fragment" packet will never reach the server. Filtering ICMP is often advised for security reasons, but for the reasons described here it is not always advisable to blindly filter all ICMP traffic on a firewall.
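The following is an added example, not Novell code: a Python parser for the "Can't Fragment" message (ICMP type 3, code 4 in RFC 792 and RFC 1191), the one ICMP message a firewall between client and server has to let through for path MTU detection to work. The addresses, the 1500-byte packet and the use of TCP port 524 for NCP are constructed sample values.

```python
import ipaddress
import struct

# RFC 1191 plateau table, used when an older router reports next-hop MTU 0.
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return path MTU details from an ICMP type 3 code 4 message, else None."""
    if len(icmp) < 36 or checksum(icmp) != 0:
        return None  # truncated or corrupted message
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (3, 4):
        return None  # some other ICMP message
    # The router quotes the IP header of the packet it could not forward.
    ver_ihl, _, total_len, _, flags = struct.unpack("!BBHHH", icmp[8:16])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(icmp) < 8 + ihl + 4:
        return None
    if mtu == 0:  # router predates RFC 1191: take next plateau below packet size
        mtu = next((p for p in PLATEAUS if p < total_len), 68)
    src_port, _ = struct.unpack("!HH", icmp[8 + ihl:12 + ihl])
    return {
        "sender": str(ipaddress.ip_address(icmp[20:24])),
        "df_set": bool(flags & 0x4000),
        "dropped_len": total_len,
        "new_mtu": mtu,
        "src_port": src_port,
    }

def build_sample(next_hop_mtu: int) -> bytes:
    """Constructed sample: a router rejects a 1500-byte DF packet from 192.0.2.10."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    inner += struct.pack("!HHI", 524, 40000, 1)  # assumed NCP over TCP port 524
    head = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = checksum(head + inner)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + inner
```

A next-hop MTU of 0 means the router does not implement RFC 1191, in which case the sender has to step down through the plateau table itself.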

The third possibility, and also the least desired, is to manually and statically lower the MTU on the server. For instance, if the link between the client and the problem server is a Novell BorderManager VPN, the normal MTU of the VPN link is 1486 bytes because of the encryption overhead. To force the server to use packets no bigger than 1486 bytes, one needs to type "set maximum interface MTU=1486" and "set use specified MTU=on" either at the server console or in the AUTOEXEC.NCF file. Note that this will reduce the maximum size of all packets this server can generate, and as such will introduce a general performance hit. This should be used as a last resort only.

Additional Information

Server sends NCP over IP packets to the client that are too big to travel over the link.
NCP over IP packets by default have "Don't Fragment" bit set.
Netware Server by default ignores "ICMP Can't Fragment" packets from routers.
Netware Server by default has path MTU discovery disabled.
Formerly known as TID# 10077465